Last Updated 27 June 2018
The PETA International Science Consortium Ltd. (the Consortium) believes strongly in protecting the integrity and privacy of personal data gathered from our supporters, visitors to our websites, and others. For the purposes of the General Data Protection Regulation (GDPR) and any subsequent UK legislation addressing data protection, the Data Controller is the Consortium.
This Policy sets out why we collect personal data about individuals and how we use that data. It also explains the legal basis for this and the rights you have regarding the way your personal data is used.
We may change this Policy from time to time. If we make any significant changes, we will advertise this on the websites or contact you directly with the information. Please check this page occasionally to make sure you are happy with any changes.
If you have any questions about this Policy or concerning your personal data, please contact the data protection agent via e-mail at [email protected] or by writing to the postal address below:
Data Protection Agent
8 All Saints Street
Exclusion of External Content and Websites From This Policy
This Policy does not extend to external websites linked to from or external content embedded in our websites. Please check with the organisations that own and/or operate those websites for their policies regarding data privacy, including the use of “cookies”.
What Personal Data Does the Consortium Collect?
The type and amount of personal data we collect depends on why you are supplying it to us.
The personal data we collect when you make an enquiry may include your name, e-mail address, postal address, affiliation, and phone number.
When you supply personal data to us (for example, if you register to attend a webinar or an event or enter a contest), in addition to asking for your name and contact details (your postal address, e-mail address, and phone number), we may also ask you for additional information about yourself, such as your reasons for attending the event or entering the contest or information about your background, such as your educational achievements and experience using non-animal test methods.
You are always in control regarding the additional personal data you provide us with and can decline to provide such data.
If the postal contact information you supply to us is incomplete or contains errors, we may use services such as those provided by the Royal Mail to correct your address details in order to enable us to send you information about our work and ways you can get involved.
We may also collect any personal data provided by you that is contained in or regarding any communication you send to us, whether via e-mail, phone, or post, as may be necessary to enable us to communicate with you better in the future and to record the communication preferences you state to us.
You may not provide us with the personal information of anyone but yourself and any child of whom you are the parent or legal guardian.
How We Collect Personal Data
We may collect personal data from you whenever you contact us or have any involvement with us, such as when you do any of the following:
- Visit our websites (See the information about the use of “cookies” under the heading “Do We Use ‘Cookies’ on Our Websites?” below.)
- Enquire about our activities or services
- Sign up to receive news about our activities
- Send personalised letters or e-mail messages
- Post content on our social media sites
- Attend a meeting with us and provide us with information
- Take part in our webinars or events
- Participate in contests, giveaways, or surveys
- Contact us in any way, including online or via e-mail, phone, SMS, social media, or post
Where We Collect Personal Data From
We collect personal data in the following circumstances:
- You give it to us directly. You may provide personal data when you ask us for information, attend a webinar, participate in a contest, attend other events, or contact us for any other reason.
- You have given other organisations permission to share it. Your personal data may be supplied to us by other organisations if you have given them your permission to do so. These organisations might include, for example, a charity working with us or a third party from which you have bought a product or service. The personal data we receive from other organisations depends on your settings or the option responses you have provided them with.
- You use our websites. When you use our websites, personal data about you is recorded and stored. See the information about the use of “cookies” under the heading “Do We Use ‘Cookies’ on Our Websites?” below.
- It is available on social media. Depending on your settings or the privacy policies of social media and messaging services you use (such as Facebook, Instagram, or Twitter), you might give us permission to access personal data from those accounts or services.
- It is available from other publicly accessible sources, and we have legitimate interests in collecting and using it.
How Do We Use the Personal Data We Collect?
We will use your personal data in a number of ways, which reflect the legal basis applying to the processing of your data. These may include the following:
- Providing you with the information or services you have asked for
- Sending you communications – with your consent – that may be of interest, including information about our activities, non-animal testing methods and strategies, and upcoming contests, events, or webinars
- Carrying out, when necessary, our obligations under any contract between us
- Seeking your views on our services or activities so that we can make improvements
- Maintaining our organisational records and ensuring we know how you prefer to be contacted
- Analysing the operation of our websites and your website behaviour in order to improve the websites and their usefulness
Our Legal Basis for Processing Your Personal Data
The use of your personal data for the purposes set out above is lawful because one or more of the following applies:
- Where you have provided us with personal data for the purpose of requesting information or requesting that we carry out a service for you, we will proceed on the basis that you have given consent for us to use the data for that purpose, based on the way that you provided us with the data. You may withdraw your consent at any time by e-mailing us at [email protected]. This will not affect the lawfulness of the processing of your personal data before your withdrawal of consent is received and acted upon.
- It is necessary for us to hold and use your personal data so that we can carry out our obligations under a contract entered into with you or to take steps you ask us to take prior to entering into a contract.
- It is necessary for compliance with our legal obligations, such as processing pursuant to a UK law or a court order.
- Where the purpose of our processing is the provision of information or services to you, we may also rely on the fact that it is necessary for your legitimate interests that we provide the information or service requested, and given that you have made the request, we would presume that there is no prejudice to you in our fulfilment of your request.
- We have identified some other legitimate interest in using the personal data.
If you want to contact us about your marketing preferences, please e-mail [email protected].
How Long Will We Keep the Personal Data We Have Collected?
We will hold your personal data for as long as it is necessary for the relevant activity. Please see our Data Retention Policy.
How We Keep Your Personal Data Safe
We are committed to ensuring that personal data is dealt with properly and securely and in accordance with the GDPR and other related legislation. We are also committed to the six data protection principles set forth in the GDPR and to ensuring that at all times, anyone dealing with personal data is mindful of an individual’s rights under the law. In furtherance of these commitments, we will do the following:
- Inform individuals of the purpose of collecting any information from them, as and when we ask for it
- Process and disclose personal data in accordance with the GDPR and other related laws
- Be responsible for checking the quality and accuracy of the information
- Regularly review the records held to ensure that information is not held longer than is necessary and that held in accordance with the Data Retention Policy
- Ensure that when information is authorised for disposal, this is done appropriately
- Ensure appropriate security measures for safeguarding personal information, whether it is held in paper files or on our computer network, and follow the relevant security policy requirements at all times
- Share personal information with others only when it is necessary and legally appropriate to do so
- Set out clear procedures for responding to requests for access to personal information known as subject access requests
- Report any breaches of the GDPR in accordance with the GDPR
We will take reasonable steps to ensure that our team and third-party processors have access to personal data only when it is necessary for them to carry out their duties. Our team and third-party processors will be made aware of their duties under the GDPR. We will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.
How We Protect Your Personal Data
We take reasonable and appropriate administrative, technical, organisational, and physical security and risk management measures in accordance with applicable laws to ensure that your personal data is adequately protected against accidental or unlawful destruction, damage, loss, or alteration; unauthorised or unlawful access, disclosure, or misuse; and all other unlawful forms of processing of your personal data in our possession.
Securing personal data is an important aspect of protecting privacy. We apply policies, standards, and supporting security controls at the level appropriate to the risk level and the services provided. In addition, appropriate security controls are communicated to applicable personnel across the organisation to support a secure operating environment.
We pay specific attention to the protection of personal data and the risks associated with processing this data.
The measures we take include the following:
We lock doors and filing cabinets, control access to our facility, and apply secure destruction to media containing your personal data.
We use network- and information-security technology such as anti-virus and endpoint protection software, intrusion detection, and data loss prevention, and we monitor our systems and contractors to ensure that they comply with our security policies.
We conduct regular general, as well as role-specific and targeted, training and awareness programmes on security and privacy to make sure that our employees and contractors understand the importance of protecting your personal data and that they acquire and maintain the necessary knowledge and skills to protect it in practice. Our organisational policies and standards also guide our handling of your personal data. Particular care is given to the security and privacy of sensitive personal information. Access to personal data is strictly controlled and is given only to those employees and contractors whose specific job duties require access to the data, and only to the extent required. Access is controlled through a number of user identification and authentication methods both internally and via remote access.
Personal Data Breaches
We take reasonable measures to prevent personal data breaches. If these were to occur, we have a process in place to enable us to take swift action within our responsibilities. This action will be consistent with the role we have in relation to the services or processes affected by the breach. In all cases, we will work together with affected parties to minimise effects, to make all notifications and disclosures that are required by applicable laws or otherwise warranted, and to take action to prevent future breaches. Our systems containing personal data are monitored 24/7 across our IT platforms to ensure that any incident that could affect the IT infrastructure and/or personal data is dealt with in a timely manner. System monitoring includes, but is not limited to, loss of power or connectivity, capacity or performance issues, and intrusion attempts. The system monitoring tools alert IT personnel via e-mail and/or text, and IT personnel triage the incident to confirm its severity and commence fixing the issue.
Storage of Your Personal Data
The data we collect from you may be stored, with risk-appropriate technical and organisational security measures applied to it, on in-house as well as third-party servers.
While we strive to safeguard your personal data, we cannot guarantee the security of any data you provide, and you provide it at your own risk.
Who Has Access to Your Personal Data?
The following may have access to your personal data:
- Third parties who supply services to or for us – for example, sending mailings or collecting, storing, or processing data – may have access. We select our third-party service providers with care. We provide them with the information that is necessary for providing the relevant service, and we have an agreement in place with each one that requires them to operate with the same care regarding data protection as we do.
- Third parties may have access if we run an event in conjunction with them. We will let you know how your data is used when you register for any event.
- Analytics and search engine providers that help us to improve our websites and their use may have access.
- PETA-named affiliates may have access if we have a legitimate interest in sharing it with them.
Because of financial or technical considerations, the personal data you supply to us may be transferred to countries outside the European Economic Area (EEA), which are not subject to the same data protection regulations as those in the EEA. We may do this for the purpose of storage within our customer-relations management or other software or for the purpose of data analysis. We meet our obligations under the GDPR by ensuring that such data has equivalent protection as if it were being held within the EEA. We do this by ensuring either that any third parties processing your data outside the EEA benefit from an adequacy determination for GDPR purposes or, where appropriate, that we have entered into a Data Processing Agreement with the third party that contains appropriate safeguards using model European Union clauses.
We may also disclose your personal data if we are required to do so under any legal obligation and may use external data for the purposes of fraud prevention and credit risk reduction or where doing so would not infringe your rights and is necessary and in the public interest.
Other than in these circumstances, we will not share your personal data with other organisations without your consent.
Our website allows you to share content to LinkedIn and Twitter using those platforms’ tools as well as by other means and to other platforms using the AddThis tool:
Keeping Your Personal Data Up to Date
We would really appreciate it if you would let us know if your contact details or other personal data change. You can do this by contacting us at [email protected] or writing to the following address:
Do We Use ‘Cookies’ on Our Websites?
We use “cookies” on some webpages. A “cookie” is a small piece of data that is stored on a visitor’s hard drive but does not itself contain any personal information. Cookies enhance visitors’ experiences by ensuring that they don’t have to log in or provide information each time they revisit a Consortium webpage and by customising content based on their interests. Visitors can configure their browsers to be alerted when a website is attempting to send a cookie and can refuse it, although some pages will not function properly if cookies have not been accepted.
You have the right to request details regarding the processing activities that we carry out in relation to your personal data. Such requests must be made in writing. To make a request, contact the data protection agent via e-mail at Da[email protected] or by writing to the following address:
Data Protection Agent
8 All Saints Street
You also have the following rights:
- The right to access your personal data
- The right to request rectification of data that is inaccurate or out of date
- The right to erasure of your data (known as the “right to be forgotten”)
- The right to object to processing necessary for the purposes of legitimate interests pursued by us
- The right to restrict the way in which we are dealing with and using your data
- The right to request that you be provided with your data in a format that is secure and suitable for reuse (known as the “right to portability”)
- Rights in relation to automated decision-making and profiling, including profiling for marketing purposes
- The right to lodge a complaint with a supervisory authority
All these rights are subject to certain safeguards and limits or exemptions. To exercise any of these rights, contact us in writing at the above e-mail or postal address. We will process your request without delay and, if appropriate, respond in full no later than one month from our receipt of the request. We may ask for additional information necessary for confirming your identity and processing the request before processing the request in full. Requests will be denied in instances in which an exemption in the GDPR or another law applies.
If you are not happy with the way in which we have processed or dealt with your personal data, you can complain to the Information Commissioner’s Office. Further details on reporting a concern can be found here.
This Policy may be changed from time to time. If we make any significant changes, we will advertise this on our websites or contact you directly with the information.
Please check this Policy each time you consider giving your personal information to us.
Do You Have Additional Questions?
Data Protection Agent
8 All Saints Street